b.exe - malware ??


#1 cheryl g

Posted 31 July 2009 - 11:22 PM

I have something called b.exe on my computer.

I have Windows XP Service Pack 3 with all current MS updates.

It happened because I left a 12-year-old neighbor unattended online.

I have deleted the extra "desks" so I only have to scan one. I have run several Malwarebytes and CCleaner scans.

It manifests itself by opening multiple extra internet windows...advertising and random stuff. At times it also has unwanted audio that does not appear to be associated with the extra windows that open.

Thanks in advance for your help. Cheryl

#2 Computer Pro

Posted 01 August 2009 - 10:46 AM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Select the Immediate Notification bullet. Then press Submit.



Please download Autoruns

Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for B.exe
Right-click on the entry and choose delete.
Reboot your computer

And Then

Let's take a look with Malwarebytes.

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire MBAM report (even if it does not find anything) in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.

Edited by Computer Pro, 01 August 2009 - 05:07 PM.

#3 cheryl g

Posted 01 August 2009 - 07:31 PM

Autoruns is installed and appears to be working.

However, I do not see b.exe anywhere. Could my settings be wrong, or could I be blind... it's a long list. :thumbsup:

#4 garmanma

Posted 01 August 2009 - 07:35 PM

Besides the tools Computer Pro suggests, run this one also.

Please download and run Process Explorer

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under File and Save As, create a log and post it here.

Copy and paste it into a reply.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits

#5 cheryl g

Posted 01 August 2009 - 08:44 PM

Thanks Mark. Hope this helps!


Process PID CPU Description Company Name
System Idle Process 0
Interrupts n/a Hardware Interrupts
DPCs n/a 1.92 Deferred Procedure Calls
System 4
SMSS.EXE 272 Windows NT Session Manager Microsoft Corporation
CSRSS.EXE 320 1.92 Client Server Runtime Process Microsoft Corporation
WINLOGON.EXE 344 Windows NT Logon Application Microsoft Corporation
SERVICES.EXE 388 1.92 Services and Controller app Microsoft Corporation
SVCHOST.EXE 552 Generic Host Process for Win32 Services Microsoft Corporation
rapimgr.exe 2240 ActiveSync RAPI Manager Microsoft Corporation
iexplore.exe 3652 0.96 Internet Explorer Microsoft Corporation
SVCHOST.EXE 596 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 632 Generic Host Process for Win32 Services Microsoft Corporation
wscntfy.exe 1052 Windows Security Center Notification App Microsoft Corporation
SVCHOST.EXE 700 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 760 Generic Host Process for Win32 Services Microsoft Corporation
LEXBCES.EXE 860 LexBce Service Lexmark International, Inc.
LEXPPS.EXE 912 LEXPPS.EXE Lexmark International, Inc.
SPOOLSV.EXE 896 Spooler SubSystem App Microsoft Corporation
SVCHOST.EXE 1532 Generic Host Process for Win32 Services Microsoft Corporation
CDAC11BA.EXE 1564 Macrovision RTS Service Macrovision
SVCHOST.EXE 1668 Generic Host Process for Win32 Services Microsoft Corporation
WDFMGR.EXE 1808 Windows User Mode Driver Manager Microsoft Corporation
alg.exe 308 Application Layer Gateway Service Microsoft Corporation
SVCHOST.EXE 2300 Generic Host Process for Win32 Services Microsoft Corporation
LSASS.EXE 400 LSA Shell (Export Version) Microsoft Corporation
Explorer.EXE 1768 Windows Explorer Microsoft Corporation
igfxtray.exe 1228 igfxTray Module Intel Corporation
hkcmd.exe 1244 hkcmd Module Intel Corporation
lxbbbmgr.exe 1260 Lexmark X74-X75 Button Manager Lexmark International, Inc.
lxbbbmon.exe 1304 Lexmark X74-X75 Button Monitor Lexmark International, Inc.
qttask.exe 1276 Apple Computer, Inc.
FaxMonitor.exe 1156
Logi_MwX.Exe 1356 Logitech Launcher Application Logitech Inc.
winampa.exe 1476
apdproxy.exe 1460 Adobe Photoshop Album Starter Edition 3.0 component Adobe Systems Incorporated
wcescomm.exe 1448 ActiveSync Connection Manager Microsoft Corporation
ctfmon.exe 1688 CTF Loader Microsoft Corporation
FSScrCtl.exe 732 Screen Saver Control applet Stardust Software
SonyTray.exe 2088
firefox.exe 2692 4.81 Firefox Mozilla Corporation
procexp.exe 2840 2.88 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
autoruns.exe 3532 Autostart program viewer Sysinternals - www.sysinternals.com
AcroRd32.exe 2900 Adobe Reader 7.0 Adobe Systems Incorporated
ctfmon.exe 2256 CTF Loader Microsoft Corporation
b.exe 1136
msa.exe 1972 85.58

#6 DaChew

Posted 01 August 2009 - 09:11 PM

Let's look for rootkits

http://rootrepeal.googlepages.com/

http://rootrepeal.googlepages.com/RootRepeal.zip

or

http://ad13.geekstogo.com/RootRepeal.zip

Just use the file tab at the bottom, scan, and paste the report into a reply here please.

Chewy

No. Try not. Do... or do not. There is no try.

#7 cheryl g

Posted 01 August 2009 - 09:21 PM

How's this?


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/01 21:19
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF85A8000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF3FB5000 Size: 138496 File Visible: - Signed: -
Status: -

Name: AN983.sys
Image Path: C:\WINDOWS\System32\DRIVERS\AN983.sys
Address: 0xF8687000 Size: 36224 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF8560000 Size: 96512 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xF8C92000 Size: 3072 File Visible: - Signed: -
Status: -

Name: BCMDM.sys
Image Path: C:\WINDOWS\System32\DRIVERS\BCMDM.sys
Address: 0xF82D0000 Size: 871360 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF8B03000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF8A07000 Size: 12288 File Visible: - Signed: -
Status: -

Name: CdaC15BA.SYS
Image Path: C:\WINDOWS\System32\drivers\CdaC15BA.SYS
Address: 0xF3B8C000 Size: 10112 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF8827000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xF86F7000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xF8637000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF8627000 Size: 36352 File Visible: - Signed: -
Status: -

Name: driverx.sys
Image Path: C:\WINDOWS\system32\drivers\driverx.sys
Address: 0xF3C2C000 Size: 35072 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF8677000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3E14000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8B0B000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF82A8000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF8CDF000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fastfat.sys
Image Path: Fastfat.sys
Address: 0xF850A000 Size: 143744 File Visible: - Signed: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xF88B7000 Size: 27392 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF87E7000 Size: 44544 File Visible: - Signed: -
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Address: 0xF891F000 Size: 20480 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF8540000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF8B01000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF8578000 Size: 125056 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EE000 Size: 81152 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF8807000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF8947000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xF82C8000 Size: 10368 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xF3449000 Size: 264832 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xF86A7000 Size: 52480 File Visible: - Signed: -
Status: -

Name: i81xdnt5.dll
Image Path: C:\WINDOWS\System32\i81xdnt5.dll
Address: 0xBF9D5000 Size: 704512 File Visible: - Signed: -
Status: -

Name: i81xnt5.sys
Image Path: C:\WINDOWS\System32\DRIVERS\i81xnt5.sys
Address: 0xF8465000 Size: 159712 File Visible: - Signed: -
Status: -

Name: Imapi.SYS
Image Path: C:\WINDOWS\System32\Drivers\Imapi.SYS
Address: 0xF86E7000 Size: 42112 File Visible: - Signed: -
Status: -

Name: intelide.sys
Image Path: intelide.sys
Address: 0xF8AFB000 Size: 5504 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xF3EF4000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xF4058000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF85F7000 Size: 37248 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xF88AF000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF8AF7000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xF2DFD000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\drivers\ks.sys
Address: 0xF83C9000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF84F3000 Size: 92288 File Visible: - Signed: -
Status: -

Name: L8042pr2.Sys
Image Path: C:\WINDOWS\system32\DRIVERS\L8042pr2.Sys
Address: 0xF86B7000 Size: 46976 File Visible: - Signed: -
Status: -

Name: LMouFlt2.Sys
Image Path: C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys
Address: 0xF86C7000 Size: 63328 File Visible: - Signed: -
Status: -

Name: MASPINT.SYS
Image Path: C:\WINDOWS\System32\Drivers\MASPINT.SYS
Address: 0xF8B39000 Size: 8096 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF8B05000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF889F000 Size: 30080 File Visible: - Signed: -
Status: -

Name: MODEMCSA.sys
Image Path: C:\WINDOWS\system32\drivers\MODEMCSA.sys
Address: 0xF8AC7000 Size: 16128 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xF88A7000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xF82C4000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF8607000 Size: 42368 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xF3954000 Size: 180608 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xF3F1A000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF8937000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xF87B7000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xF8A8F000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF84AC000 Size: 105344 File Visible: - Signed: -
Status: -

Name: MxlW2k.SYS
Image Path: C:\WINDOWS\System32\Drivers\MxlW2k.SYS
Address: 0xF88BF000 Size: 25504 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF84C6000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xF8A87000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xF3D14000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xF8259000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF8767000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xF87C7000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xF3FD7000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF893F000 Size: 30848 File Visible: - Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF8CAA000 Size: 2944 File Visible: - Signed: -
Status: -

Name: p3.sys
Image Path: C:\WINDOWS\System32\DRIVERS\p3.sys
Address: 0xF8667000 Size: 42752 File Visible: - Signed: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xF8294000 Size: 80128 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF887F000 Size: 19712 File Visible: - Signed: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF8B37000 Size: 6784 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF8597000 Size: 68224 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xF8877000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF83A5000 Size: 147456 File Visible: - Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF8B47000 Size: 7872 File Visible: No Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xF88D7000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF8887000 Size: 20000 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xF8AD3000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xF8717000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xF8727000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xF8737000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xF88DF000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xF3F8A000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF8B07000 Size: 4224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xF8707000 Size: 57600 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF370A000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sbpci.sys
Image Path: C:\WINDOWS\system32\drivers\sbpci.sys
Address: 0xF83EC000 Size: 412800 File Visible: - Signed: -
Status: -

Name: secdrv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\secdrv.sys
Address: 0xF3A9C000 Size: 40960 File Visible: - Signed: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serenum.sys
Address: 0xF8A7F000 Size: 15744 File Visible: - Signed: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serial.sys
Address: 0xF86D7000 Size: 64512 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF852E000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys
Address: 0xF37EA000 Size: 333952 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xF8AFD000 Size: 4352 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xF3B44000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xF3FFF000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xF88CF000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xF8747000 Size: 40704 File Visible: - Signed: -
Status: -

Name: tmcomm.sys
Image Path: C:\WINDOWS\system32\drivers\tmcomm.sys
Address: 0xF37D2000 Size: 97280 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xF815B000 Size: 384768 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xF8AFF000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xF8757000 Size: 59520 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xF8270000 Size: 147456 File Visible: - Signed: -
Status: -

Name: usbprint.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbprint.sys
Address: 0xF894F000 Size: 25856 File Visible: - Signed: -
Status: -

Name: usbscan.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbscan.sys
Address: 0xF82C0000 Size: 15104 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Address: 0xF88C7000 Size: 20608 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF892F000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Address: 0xF8451000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF8617000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xF87F7000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF8957000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xF39CF000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS
Address: 0xF8AF9000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: ws2ifsl.sys
Image Path: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Address: 0xF8ADB000 Size: 12032 File Visible: - Signed: -
Status: -

#8 DaChew

Posted 01 August 2009 - 09:34 PM

The file tab only

not the driver tab
Chewy

No. Try not. Do... or do not. There is no try.

#9 cheryl g

Posted 02 August 2009 - 08:19 AM

I scanned it again... the file tab is empty.

#10 DaChew

Posted 02 August 2009 - 09:35 AM

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
Chewy

No. Try not. Do... or do not. There is no try.

#11 cheryl g

Posted 02 August 2009 - 01:55 PM

GMER 1.0.15.15011 [jnld0c00.exe] - http://www.gmer.net
Rootkit scan 2009-08-02 13:51:55
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\driverx.sys entry point in "init" section [0xF3C326FE]
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3652] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3652] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351F8F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3652] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3652] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351F54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3652] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351E9C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3652] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351ED6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3652] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E351FCA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3652] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3652] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35218C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2124] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExA] [00417163] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2124] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExW] [004171D8] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2124] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!ShowWindow] [0041724D] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2124] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExA] [00417163] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2124] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExW] [004171D8] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2124] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowPos] [004172F5] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2124] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!ShowWindow] [0041724D] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2124] @ C:\WINDOWS\system32\wininet.dll [USER32.dll!CreateWindowExW] [004171D8] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2124] @ C:\WINDOWS\system32\wininet.dll [USER32.dll!SetWindowPos] [004172F5] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2124] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!CreateWindowExW] [004171D8] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2124] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!ShowWindow] [0041724D] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2124] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!SetWindowPos] [004172F5] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2192] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExA] [00417163] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2192] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExW] [004171D8] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2192] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!ShowWindow] [0041724D] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2192] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExA] [00417163] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2192] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExW] [004171D8] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2192] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowPos] [004172F5] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2192] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!ShowWindow] [0041724D] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2192] @ C:\WINDOWS\system32\wininet.dll [USER32.dll!CreateWindowExW] [004171D8] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2192] @ C:\WINDOWS\system32\wininet.dll [USER32.dll!SetWindowPos] [004172F5] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2192] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!CreateWindowExW] [004171D8] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2192] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!ShowWindow] [0041724D] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2192] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!SetWindowPos] [004172F5] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExA] [004178C0] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExW] [00417936] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] [00417AC0] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!MessageBoxW] [00417ACC] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!ShowWindow] [004179AC] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!CreateWindowExW] [00417936] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!MessageBoxW] [00417ACC] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!SetWindowPos] [00417A56] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!DialogBoxParamW] [00417AC0] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DialogBoxParamA] [00417AC0] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DialogBoxParamW] [00417AC0] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExA] [004178C0] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExW] [00417936] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!MessageBoxA] [00417ACC] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!MessageBoxW] [00417ACC] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!MessageBoxIndirectA] [00417ABA] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!MessageBoxIndirectW] [00417ABA] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowPos] [00417A56] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!ShowWindow] [004179AC] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!CreateWindowExW] [00417936] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!DialogBoxParamW] [00417AC0] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!ShowWindow] [004179AC] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!SetWindowPos] [00417A56] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!MessageBoxW] [00417ACC] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!MessageBoxA] [00417ACC] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!MessageBoxIndirectW] [00417ABA] C:\WINDOWS\msa.exe

---- EOF - GMER 1.0.15 ----
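The IAT section above reads more easily once it is parsed: each line names the hooked process and PID, the module whose import table was patched, the USER32 API that was redirected, the new address, and the module that owns that address. The Python below is an added example (not part of the thread or of GMER) that parses such lines and flags redirects into modules outside the system directories; the sample lines are copied from this log plus one constructed benign line, and TRUSTED_DIRS is an assumption of the example.

```python
import re
from collections import defaultdict

# One GMER 1.0.15 "User IAT/EAT" line has the shape:
#   IAT <process>[<pid>] @ <module whose import table was patched>
#       [<DLL!Function>] [<new address>] <module that owns the new address>
IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<module>\S+) "
    r"\[(?P<api>[^\]]+)\] \[(?P<addr>[0-9A-Fa-f]+)\] (?P<owner>.+?)\s*$"
)

# Assumption of this example: on a 32-bit XP box, IAT entries should resolve
# into these directories; a redirect anywhere else deserves a second look.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

# Constructed sample: three lines copied from the log above plus one benign,
# made-up line whose target lives in system32 (the kind GMER also reports).
SAMPLE_GMER_LINES = r"""
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2124] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExW] [004171D8] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\default\LOCALS~1\Temp\b.exe[2124] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!ShowWindow] [0041724D] C:\DOCUME~1\default\LOCALS~1\Temp\b.exe
IAT C:\WINDOWS\msa.exe[2208] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!MessageBoxW] [00417ACC] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\explorer.exe[1556] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!MessageBoxW] [7E4664D5] C:\WINDOWS\system32\IEFRAME.dll
""".strip().splitlines()


def parse_iat_line(line):
    """Return the fields of one IAT line as a dict, or None for any other line."""
    m = IAT_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious(entry):
    """True when the import was redirected into a module outside TRUSTED_DIRS."""
    return not entry["owner"].lower().startswith(TRUSTED_DIRS)


def suspicious_hooks(lines):
    """All IAT entries in a GMER log whose new address lies outside TRUSTED_DIRS."""
    parsed = (parse_iat_line(line) for line in lines)
    return [e for e in parsed if e and is_suspicious(e)]


def hooks_by_owner(lines):
    """Group suspicious hooks as {owning module: sorted list of redirected APIs}."""
    grouped = defaultdict(set)
    for e in suspicious_hooks(lines):
        grouped[e["owner"]].add(e["api"])
    return {owner: sorted(apis) for owner, apis in grouped.items()}
```

Run over the full log, the grouping shows both b.exe and msa.exe redirecting window- and message-box APIs from several system DLLs into their own images under %TEMP% and C:\WINDOWS, which matches the unwanted pop-up windows described in the first post.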

#12 DaChew

Posted 02 August 2009 - 02:05 PM

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


Please download Malwarebytes Anti-Malware (v1.39) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you use other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Chewy

No. Try not. Do... or do not. There is no try.

#13 cheryl g


Posted 02 August 2009 - 09:07 PM

Ok. Here are the results of first scan:


Malwarebytes' Anti-Malware 1.39
Database version: 2548
Windows 5.1.2600 Service Pack 3

8/2/2009 8:40:56 PM
mbam-log-2009-08-02 (20-40-56).txt

Scan type: Quick Scan
Objects scanned: 121656
Time elapsed: 35 minute(s), 20 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
C:\WINDOWS\msa.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Documents and Settings\default\Local Settings\Temp\b.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coldware (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\msa.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\default\Local Settings\Temp\b.exe (Trojan.FakeAlert) -> Delete on reboot.
c:\documents and settings\default\local settings\Temp\a.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\default\local settings\Temp\c.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\default\local settings\Temp\d.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\default\local settings\Temp\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\default\local settings\Temp\e.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\default\local settings\Temp\f.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\TASKS\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\TASKS\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.





Restarted computer. 2nd scan results here:

Malwarebytes' Anti-Malware 1.39
Database version: 2548
Windows 5.1.2600 Service Pack 3

8/2/2009 8:59:13 PM
mbam-log-2009-08-02 (20-59-13).txt

Scan type: Quick Scan
Objects scanned: 121679
Time elapsed: 13 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#14 DaChew


Posted 02 August 2009 - 09:21 PM

You might need to do that on all profiles on the computer with ATF-Cleaner and MBAM.

Something may be hiding.
Chewy

No. Try not. Do... or do not. There is no try.

#15 cheryl g


Posted 07 August 2009 - 07:18 PM

Chewy,

Thanks so much for your help. :thumbsup: Works great now!



